Configuration Reference
All configuration lives in config/siem.php (publish it with php artisan vendor:publish --tag=siem-config). This page lists every key, its environment variable, and its default.
Master switch#
| Key |
Env |
Default |
Description |
enabled |
SIEM_ENABLED |
true |
Disable to stop all collection and shipping without removing middleware or listeners |
Service identity#
Attached to every event as ECS service.* fields so the SOC can attribute events to a system.
| Key |
Env |
Default |
service.name |
SIEM_SERVICE_NAME |
APP_NAME |
service.environment |
SIEM_SERVICE_ENV |
APP_ENV |
Sinks#
| Key |
Env |
Default |
Description |
sinks.active |
SIEM_SINKS |
log |
Comma-separated list of destinations: sentinel, wazuh, syslog, slack, teams, log, null |
Any sink entry may define minimum_severity — events below that level are not shipped to that sink. See the individual sink pages for their full settings:
Queue shipping#
| Key |
Env |
Default |
Description |
queue.enabled |
SIEM_QUEUE |
true |
Ship events on the queue (recommended) |
queue.connection |
SIEM_QUEUE_CONNECTION |
app default |
Queue connection |
queue.name |
SIEM_QUEUE_NAME |
siem |
Queue name |
queue.tries |
— |
3 |
Delivery attempts per sink |
queue.backoff |
— |
[5, 30, 120] |
Seconds between retries |
GeoIP enrichment#
| Key |
Env |
Default |
Description |
geoip.enabled |
SIEM_GEOIP |
false |
Add ECS source.geo.* fields at delivery time |
geoip.driver |
SIEM_GEOIP_DRIVER |
maxmind |
maxmind (local database) or ipapi (HTTP) |
geoip.cache_minutes |
— |
1440 |
Per-IP lookup cache TTL |
geoip.maxmind.database |
SIEM_GEOIP_MMDB |
storage/app/geoip/GeoLite2-City.mmdb |
Path to the .mmdb file |
geoip.ipapi.url |
SIEM_GEOIP_URL |
ip-api.com template |
Lookup URL; {ip} is substituted |
geoip.ipapi.timeout |
— |
3 |
HTTP timeout in seconds |
Event collection#
| Key |
Env |
Default |
Description |
events.authentication.enabled |
SIEM_EVENTS_AUTH |
true |
Master toggle for auth listeners |
events.authentication.login_succeeded |
— |
true |
Per-event toggles also exist for login_failed, logout, registered, password_reset, lockout, email_verified |
events.minimum_severity |
SIEM_MIN_SEVERITY |
info |
Global severity floor; events below it are dropped entirely |
Honeypots#
Route honeypots — honeypots.routes#
| Key |
Env |
Default |
Description |
enabled |
SIEM_HONEYPOT_ROUTES |
true |
Register decoy routes |
paths |
— |
see below |
Decoy URIs; strings or arrays with path, methods, where |
response_status |
— |
404 |
HTTP status returned to the attacker |
tarpit_ms |
SIEM_HONEYPOT_TARPIT |
0 |
Delay the response up to N ms (0 disables) |
auto_block |
SIEM_HONEYPOT_AUTOBLOCK |
true |
Block the source IP after a hit |
block_minutes |
— |
1440 |
Block duration |
Default decoy paths include .env, .git/config, wp-login.php, wp-admin, xmlrpc.php, phpmyadmin, backup.sql and other high-signal probe targets.
| Key |
Env |
Default |
Description |
field |
SIEM_HONEYPOT_FIELD |
website_url_confirm |
Name of the invisible input |
timer_field |
SIEM_HONEYPOT_TIMER_FIELD |
_hp_time |
Name of the encrypted timestamp input |
min_seconds |
— |
2 |
Submissions faster than this are treated as bots |
respond |
— |
reject |
reject (422) or silent (fake success) |
Endpoint abuse detection — abuse#
| Key |
Env |
Default |
Description |
window_minutes |
— |
1 |
Detection window |
auth_failures_threshold |
SIEM_ABUSE_AUTH_THRESHOLD |
10 |
401/403/419/423 responses → brute_force_detected |
not_found_threshold |
SIEM_ABUSE_404_THRESHOLD |
25 |
404s → scanning_detected |
throttled_threshold |
SIEM_ABUSE_429_THRESHOLD |
5 |
429s → rate_limit_abuse |
request_threshold |
SIEM_ABUSE_REQUEST_THRESHOLD |
0 |
Total requests → endpoint_abuse (0 disables) |
auto_block |
SIEM_ABUSE_AUTOBLOCK |
false |
Block the offender when a detection fires |
block_minutes |
— |
60 |
Block duration |
Resource enumeration detection — enumeration#
| Key |
Env |
Default |
Description |
window_minutes |
— |
5 |
Detection window (fixed, not sliding) |
sequential_threshold |
SIEM_ENUM_SEQUENTIAL |
5 |
Constant-stride numeric ID run length |
max_stride |
— |
1000 |
Strides larger than this don't count as sequential |
distinct_threshold |
SIEM_ENUM_DISTINCT |
15 |
Distinct IDs touched per route pattern |
miss_ratio |
— |
0.5 |
Share of 404/403/410 responses |
miss_min_requests |
— |
10 |
Minimum requests before the miss ratio applies |
auto_block |
SIEM_ENUM_AUTOBLOCK |
false |
Block the scanner |
block_minutes |
— |
60 |
Block duration |
Egress monitoring — egress#
Watches outgoing HTTP calls (Http client) per destination host. Alert-only. See Egress Monitoring.
| Key |
Env |
Default |
Description |
enabled |
SIEM_EGRESS |
false |
Subscribe to HTTP client events and monitor outbound calls |
ignore_hosts |
SIEM_EGRESS_IGNORE |
[] |
Hosts never monitored (sink/GeoIP hosts are auto-suppressed) |
bucket_seconds |
— |
60 |
Counting bucket size for spike baselining |
new_destination.enabled |
SIEM_EGRESS_NEW_DEST |
true |
Alert on first-ever call to a host |
new_destination.ttl_minutes |
— |
43200 |
How long a host stays "known" (30 days) |
spike.enabled |
SIEM_EGRESS_SPIKE |
true |
Alert on volume above rolling baseline |
spike.history_buckets |
— |
30 |
Baseline window = this × bucket_seconds |
spike.multiplier |
— |
5 |
Fire at multiplier × baseline |
spike.min_count |
— |
20 |
Absolute floor so low volume never trips |
limits.window_minutes |
— |
1 |
Hard-limit window |
limits.default |
SIEM_EGRESS_LIMIT |
0 |
Default per-host cap (0 = none) |
limits.targets |
— |
[] |
Per-host caps, e.g. ['api.stripe.com' => 1000] |
errors.enabled |
— |
true |
Alert on failed-response surges |
errors.window_minutes |
— |
1 |
Error-spike window |
errors.threshold |
SIEM_EGRESS_ERROR_THRESHOLD |
25 |
4xx/5xx/failures per host per window |
Request threat scanner — scanner#
| Key |
Env |
Default |
Description |
block |
SIEM_SCANNER_BLOCK |
false |
Reject flagged requests with 400 (detection-only by default) |
except_inputs |
— |
password, password_confirmation |
Input keys skipped entirely |
max_value_length |
— |
8192 |
Only the first N characters of each value are scanned |
IP blocklist — blocklist#
| Key |
Env |
Default |
Description |
enabled |
SIEM_BLOCKLIST |
true |
Enforce the blocklist in siem.block middleware |
cache_store |
SIEM_CACHE_STORE |
app default |
Cache store backing the blocklist |
response_status |
— |
403 |
Status returned to blocked IPs |
never_block |
SIEM_NEVER_BLOCK |
127.0.0.1,::1 |
IPs/CIDRs that can never be auto-blocked |
Privacy — privacy#
| Key |
Env |
Default |
Description |
redact_keys |
— |
password, token, api_key, ... |
Context keys replaced with [REDACTED] (recursive) |
hash_usernames |
SIEM_HASH_USERNAMES |
false |
Ship user.name as a sha256 hash |
include_request_body |
SIEM_INCLUDE_BODY |
false |
Reserved for shipping request bodies with events |